WH Smith fell victim to a cyber attack last week, with hackers gaining access to confidential employee details and sparking questions about HR’s role in digital security.
The high street retailer revealed that data including names, addresses, National Insurance numbers and dates of birth had been breached. The leak includes details of current employees but also former staff who remain on the company’s database.
WH Smith did not say how many current and ex-employees had been affected, but the company employs about 10,000 people in the UK.
Customer accounts and customer databases are not affected, the firm said, while confirming that an investigation had been launched.
A statement published to the London Stock Exchange said: “WH Smith PLC has been the target of a cyber security incident which has resulted in illegal access to some company data, including current and former employee data. Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities.
“WH Smith takes the issue of cyber security extremely seriously and investigations into the incident are ongoing. We are notifying all affected colleagues and have put measures in place to support them.
“There has been no impact on the trading activities of the Group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident.”
The Information Commissioner's Office has also launched a probe into the matter.
Why cyber security is not just an issue for IT, but for HR as well
The top brass at WH Smith are already looking into how such a breach occurred. Naturally their attention will be on strengthening their IT defences. So is this purely an IT issue, rather than something HR should be addressing too? Not exactly.
The ICO and UK government both state that the number one cause of data breaches in the UK is human error, so it’s vital to get the human element of your cybersecurity in check.
Firstly, if your cybersecurity is compromised and details of salaries, mental health treatments, family members, payment information or full identities are exposed, it’ll be HR working around the clock to pick up the pieces. Secondly, under the Data Protection Act 2018 and the GDPR, HR holds both personal and sensitive information that must be stored, accessed, secured and processed in compliant ways.
Unfortunately, this is not something that even SMEs can simply “leave to IT”. Having thorough, frank discussions with your security and data protection personnel is vital to making sure that the information you keep – both the financially vulnerable material and the sensitive information of staff – is kept safe.
“By far, the most important thing for HR leaders to understand is that data protection is everyone’s responsibility,” explained Steve Ryan, Senior Consultant for security company BARR Advisory.
With the UK Government reporting that 39% of UK businesses suffered an attack in 2022 alone, and only 19% having a response plan in place should an attack occur, it’s clear that this is a huge gap in both resource and risk planning for British organisations.
Reporting and your obligations
Reporting from SMEs wasn’t as good as it should be, according to the same report, mainly because of a lack of detection. Even enterprise organisations failed to reach 100% detection and reporting last year.
Remember that your organisation is required to report both cyber attacks and data breaches that do not stem from attacks to the Information Commissioner’s Office (ICO), as well as to any individuals (employees, suppliers, partners and customers) who were or may have been affected by the infringement. You have 72 hours to do this.
What can HR do to tighten up cybersecurity?
James Bore, a ‘cyber security hygienist’ and head of security consultancy Bores Group, believes that ‘data minimisation’ is the key to beefing up your digital security.
“One of the most useful principles when you’re looking at personal data protection is data minimisation. You should only keep the data that you actually need. Anything sensitive should only be accessible when needed and should not be retained any longer than needed. When we’re dealing with HR, this can (and often does) involve highly sensitive personal data, and so any policy or other controls put in place should be clear on the technical and procedural safeguards around data.
“As an example, while health data may be important for accommodations to be made in the workplace, it’s rarely needed and so should be behind some form of gateway to be accessed when needed, not as a standard part of HR’s working day.”
Bore concludes: “Often, it’s not even necessary for HR to have specifics on employees for some of the most sensitive data (e.g., protected characteristics that fall under DE&I), and there are services who can act as guardians of the data – not holding any of the identities themselves, and providing the aggregate data that HR needs without putting anyone at risk by identifying or outing them in that summary.”
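The three controls Bore describes (a day-to-day view with no sensitive fields, gated and logged access to health data, and aggregate-only reporting on protected characteristics that never identifies anyone) can be sketched in code. This is an added illustration, not code from the article or from Bores Group; the employee records, the `MIN_GROUP_SIZE` threshold and the class names are constructed assumptions.

```python
"""Data minimisation for an HR record store (added illustration, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MIN_GROUP_SIZE = 5  # assumption: aggregate counts below this are suppressed


@dataclass
class Employee:
    staff_id: str
    name: str
    department: str
    # Sensitive fields: never returned by the default view.
    health_note: Optional[str] = None
    protected_characteristic: Optional[str] = None


class HrStore:
    def __init__(self, people):
        self._people = {p.staff_id: p for p in people}
        self.access_log = []  # every gated access is recorded here

    def directory(self):
        """Standard working-day view: identity and department only."""
        return [{"staff_id": p.staff_id, "name": p.name, "department": p.department}
                for p in self._people.values()]

    def health_note(self, staff_id, requester, purpose):
        """Gateway: a named requester must state a purpose, and the access is logged."""
        if not purpose.strip():
            raise PermissionError("a documented purpose is required for health data")
        self.access_log.append((requester, staff_id, purpose))
        return self._people[staff_id].health_note

    def characteristic_summary(self):
        """Aggregate only: counts per value, dropping groups small enough to out someone."""
        counts = Counter(p.protected_characteristic for p in self._people.values()
                         if p.protected_characteristic)
        return {value: n for value, n in counts.items() if n >= MIN_GROUP_SIZE}


# Constructed sample: six staff in group "A", two in the small group "B".
SAMPLE = [Employee(f"E{i:03d}", f"Person {i}", "Retail", protected_characteristic="A")
          for i in range(6)]
SAMPLE += [Employee("E100", "Person 100", "Retail", health_note="adjusted hours",
                    protected_characteristic="B"),
           Employee("E101", "Person 101", "Finance", protected_characteristic="B")]
```

Because group "B" has only two members, the summary reports only group "A", so a reader cannot infer anything about the two individuals.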
Sum it up
In summary, HR holds a lot of personal and highly sensitive information on employees, from the moment of recruitment the whole way through to retirement. You’ll also be the ones picking up the pieces if, for example, a member of your workforce who is part of the LGBT+ community has their sexuality disclosed before they were comfortable sharing it publicly, if it is revealed that a team member has a chronic illness, or if employees’ sensitive financial information is breached.
The best time to review your cybersecurity methods is yesterday. The second best time is today.